Businesses in highly regulated industries such as finance and healthcare are constantly faced with changing compliance regulations. The same goes for businesses working closely with state and local governments. New policies and rules often need to be aligned throughout multiple levels of an organization, and the role of "ethics and compliance professional" often falls on the human resources (HR) managers and information technology (IT) departments overseeing responsibilities such as infrastructure management, network security, and mobile device management (MDM) to ensure the business remains compliant.
But how can businesses remain compliant? According to new research from NAVEX Global, the answer may be by using better automated policy management software. The company's 2016 Ethics & Compliance Policy Management Benchmark Report surveyed 1,075 respondents globally (75 percent in the US) across a wide range of industries. These industries ranged from healthcare, manufacturing, and banking and finance to nonprofits, insurance, energy and utilities, government and administration, and technology businesses. The report surveyed senior executives and managers in charge of ethics and compliance about their current challenges with policy management, and what strategies and solutions could improve the process in their organization.
We spoke to Randy Stephens, Vice President of Advisory Services at NAVEX Global (and the report's co-author) about key takeaways from the research, and how businesses can tackle proactive compliance, both from a technology and an organizational standpoint.
"What we've found is, generally, and this was not a surprise, a lot of people are unhappy with their policy management programs when it comes to compliance. Even with those who are happy, there's always room for improvement," said Stephens. "We saw that both the budget and responsibility for policy management can be spread across a large group of business units, and that dispersed responsibility within the organization can contribute to a lack of efficiency."
Breaking Down the Report
The NAVEX Global research sample spanned respondents at small (25 percent), midsize (31 percent), and enterprise (43 percent) businesses, with revenues spanning from less than $50 million to more than $1 billion, as well as government and nonprofit organizations. The most common type of respondents were dedicated ethics and compliance professionals, but the research also included respondents like business analysts and HR, IT, internal audit, legal, risk management, and security professionals managing compliance within their organization.
The following are a few key takeaways from the report. Respondents could select multiple answers:
- Nearly half of organizations (47 percent) said their top policy management challenge is keeping policies up to date with new and changing regulations.
- Other top policy management challenges included training employees on policies (40 percent), policy redundancy and inaccuracy (32 percent), demands specifically related to legal compliance (31 percent), easy access to current policies and procedures (28 percent), and document management (DM) (23 percent).
- More than 50 percent of organizations have seven or more departments with some ownership of policy management and budgeting process, and nearly 50 percent said they either don't have funding for policy management or that it's part of a company-wide budget.
- 57 percent of respondents use online training to ensure policy comprehension, followed closely by 55 percent who use in-person training.
- The report found that automated software improved policy management execution by 16 percent overall, with particular effectiveness in improving the efficiency of policy quality, communication, workflow, and access.
NAVEX Global provides compliance and policy management software, services, and consulting. Stephens acknowledged that the company does have a vested interest in the use of automated software but stressed that the report is vendor-agnostic.
"One of the top challenges is keeping up with changing laws and regulations," said Stephens. "That's one of the areas where people really struggled. The way the automated process comes into play is that the policies in an effective program are regularly reviewed—updating, translation, version control, everything you need to make sure people have access to the latest policy. Ultimately, what was most obvious in the report is that the people with an automated policy management process, a software-driven strategy, were the ones that perceived their programs to be the most effective. And that was true of every single criteria."
5 Policy Management Steps Your Business Can Take
Policy management software can differ a lot depending upon the industry. From online health insurance-compliance training software such as Accountable to specialized solutions for existing collaboration and DM software such as Microsoft SharePoint Online, solutions come in all shapes and sizes, and vary depending upon how deeply they're integrated with existing systems.
But, regardless of the system your business is using to manage compliance and policies, Stephens said there are several key organizational steps you can take to improve policy management and accountability, while ensuring everyone in the organization is up-to-date. The following are his five recommendations:
1. Dedicated Policy Owners
Stephens said compliance failures can often stem from nobody checking up on a policy for months or years after it's been instituted. Companies can run into trouble when it comes to accountability or disciplinary actions if an employee violates a policy but the compliance officer can't even put his or her finger on what policy was violated.
"Policies need to have an owner," said Stephens. "Sometimes there may be multiple parties who have input, but someone needs to own that policy and make sure it's reflecting changes in laws, regulations, and company practices."
2. Easy Access and Availability
Stephens said policies are often spread throughout the organization, from HR and IT policies to health and safety policies. So businesses need to make sure the policies are readily available, be it through policy management software, a company intranet or HR portal, or a DM platform.
"When employees have a question, they need to be able to look at the policy. If they can't find it, they can't be trained," said Stephens. "That's where automated solutions are the hands-down winners because those policies are housed in a central location. SharePoint sites and intranet sites can work, but in those you often find there is still a lack of centralized control. If you can't make that policy readily available and understandable to the bulk of users, you're not going to have good compliance."
3. Interdepartmental Communication
Delegating responsibilities and policy management across departments within an enterprise or large organization requires open communication to make sure everything stays synced. Stephens said that whether it's through some kind of policy committee or a regular review, businesses need compliance officers to collaborate across the organization and agree on common points such as disciplinary action.
"Think about the legal department needing to look at policies from a regulatory standpoint, and then the developmental group or HR team looking at the policies to make sure they're easy to read and understandable," said Stephens. "Bring those people together on a regular basis to ensure responsibility and make sure policies are getting updated and made available to everyone."
4. Online Training
Stephens said one of the main takeaways from the survey is that online training is the most effective way to deliver policy change updates and ensure organization-wide awareness. PCMag has reviewed a number of great online learning platforms and learning management systems (LMS) that can deliver this type of training information to employees, including Editors' Choice Docebo.
"It's about tying policies and training together in a seamless way," said Stephens. "Doing this with an automated system, it's easy to track who saw the policy email or training on a new or updated policy, who read it, who acknowledged it, and who completed the certification."
5. Automation and Incident Management
Stephens explained that automated software is the easiest way to control the process of creating, updating, reviewing, and posting policies. Version control is also important, allowing businesses to track who's reviewed or updated a policy and whether or not they're dealing with the most recent version. On that point, Stephens said it's important to limit policy access and tie policy updates in with incident management for more proactive compliance.
"Especially when you're dealing with policies across different departments and multiple countries for multinational organizations, this access and visibility makes sure a policy really applies, let's say, to your employees in the UK," explained Stephens. "And then you have version control to see what changes were made and who reviewed it, and send out the update quickly to the user letting them know you've made a change to their travel policy."
"Then, while you're managing what you've shared with users and monitoring what you've trained them on, you can also link it into incident management reporting," he added. "If a user has a question or an issue, you can raise an issue and automatically convert that into a report to add a greater degree of efficiency to compliance to whatever policy you're dealing with. You can't expect people to adhere to a policy if they have no idea what the expectations are."